Welcome to the next installment of our ‘Meet the CrabNebula Team’ series. Each installment will feature a new member of the talented CrabNebula team and cover both the person as well as their work at CrabNebula.
We sat down with Matthias Kandora, a Senior Security Engineer at CrabNebula, to find out how he found his way here. While his primary role is in research, he has been instrumental in setting up security auditing tools specialized for Tauri, which play a crucial role in our Auditing service, as well as organizing the internal knowledge transfer program.
Meet Matthias
Question: When you’re not working at CrabNebula, what’s your favorite thing to do, and why?
Matthias: I don’t do any special activities, besides some körperliche Ertüchtigungen outside of work. I also like to read a lot.
Question: Körperliche Ertüchtigungen, what’s that?
Matthias: It translates to physical exercise, or training.
Question: I see. And is there any one in particular you favor?
Matthias: One of my favorite activities so far is riding my bicycle, either through the woods or through the city.
Role at CrabNebula
Question: What are your responsibilities at CrabNebula, and what have you been working on?
Matthias: My field of work is mainly research and engineering. I am currently working on a tool to scan given configurations of Tauri applications. The main intent is to check for insecure settings inside the configuration, provide human-understandable recommendations on how to improve the security, and provide a machine-readable format to apply fixes in an automated way (think of applying a patch via a diff file). Apart from this very specific task, I have a keen interest in conducting research on isolation techniques applicable to Tauri applications that can also be applied elsewhere. The main idea is to prevent access to sensitive data inside an application, as well as confine access to resources from the inside.
The tool I mentioned earlier is called “Confisis”. One integral part of the tool is the rules that can be configured to match endpoints and their features (e.g. fs for the former and readFile for the latter); verbal suggestions as feedback to the developer can be provided; and for specific endpoints, a configuration to check scope settings can also be provided.
The engine is flexible when executing rules. Each rule can either be atomic or complex, depending on the successful evaluation of other rules, forming a tree-like data structure. Iteration over the nodes can either be done by visiting the leaves or in topological order. Visiting the leaves is useful to evaluate atomic rules, whereas topological order is used when the whole rule set shall be evaluated.
Another feature that Confisis will ship is a linter for Tauri configurations. With the help of the linter, the user will be provided with more complex information and direct proposals on how the configuration can be fixed, as well as a diff-like output to integrate Confisis into existing build and testing pipelines.
Question: How did you first find out about CrabNebula?
Matthias: I was working as a security engineer at the IOTA foundation, specifically for the project Stronghold, a software-based enclave for sensitive data, alongside Daniel [Thompson-Yvetot, now CEO of CrabNebula], who was leading the project before I took over. I really had fun working in the field of (software) security, and wanted to continue to deepen my skills as well as going deeper on specific topics. The foundation had switched its internal focus, and at that time Daniel reached out and offered me the opportunity to be part of the newly-founded security team and be part of the group shaping its direction for the future. This appealed to me and my own goals, and now here I am.
Question: What sort of specific topics were you particularly interested in?
Matthias: What interests me most is working on systems that are able to keep sensitive data secure and are relatively easy to access from a user perspective. Software libraries like Stronghold are an excellent start to integrating a system that takes care of sensitive data from the ground up, but there is so much more to come. As secure hardware modules become more widespread with the introduction of passwordless authentication, the general concept becomes more understandable for the general public. Apart from security software, I am following the hype around “AI” (a term I’m not quite sure fits, but that depends on the understanding and definition of it), especially the large language models (LLMs) and the many applications around it. For most people, AI applications revolve around advanced chat bots or fantastic image generation. What I am mostly interested in is the integration of such models for advanced system testing and hardening. It’s not perfect yet, and human engineers will always be required to adapt to specific situations and think creatively, but so far, AI is here to stay and should be seen as an additional tool to be used.
Question: How did you first get involved in security software development?
Matthias: Mainly through the work at the IOTA foundation, specifically on the project Stronghold, a software enclave to work with secrets (e.g. signing, encrypting, decrypting, etc.). It was my first project that took a deep dive into security software and was fun to work with. Parallel to shipping features, we as a team took a deeper look into memory management and how to hide and protect sensitive data, improving the already great design of the library.
Stemming from this project were a lot of new ideas on how to provide a secure element as part of your software. Unfortunately, for most of the parts, I cannot give a deeper insight, but isolation and integrating security hardware are the next logical steps.
Question: What have you been working on since you started at CrabNebula?
Matthias: I have mainly worked in internal tooling, preparing and helping out with security audits, and focusing on the configuration analyzer and linter for Tauri applications. Besides the work from the security team, I also take care of a broader session around internal talks and knowledge transfer, either in the form of presentations or demos.
Question: Given that CrabNebula is a totally remote company, what are your usual/preferred working hours?
Matthias: I like to work mostly in the mornings for more focused work and in the afternoon working on more creative things like write-ups, documentation, etc. Sometimes I shift my focus to work more in the evenings, as it is more silent and focusing is much easier.
Knowledge Transfer
Question: Can you expand on the internal talks and knowledge transfer program you mentioned earlier?
Matthias: One crucial part of a large team, working remotely, is proper knowledge transfer in a way that encourages all colleagues to take part and share their experiences. Internally, we started with a bi-weekly session called “TIL” (short for “Today I Learned”). This format is quite flexible and allows experts from our team to present engaging topics in a way that almost all of their colleagues will find interesting. It also serves as a kind of round table to loosely discuss current topics. In my opinion, it’s a great way to discover topics I haven’t heard about yet or present some things I think will be useful to know about at CrabNebula. It’s actually a lot of fun to present new topics or showcase internal work to my colleagues.
Question: What sort of topics have you been covering or focusing on thus far?
Matthias: We covered a lot of topics, mainly centered around security, Rust programming, and business-related topics like fundraising, strategies, and so on. I try to balance the topics so everyone in the team benefits from the talks, but so far there hasn’t been much need for balancing.
Question: Any other particular topics you see on the horizon that you’d like covered or discussed?
Matthias: Topics around research, or basically cutting-edge stuff, are definitely coming up. I’m considering going deeper into isolation techniques, virtual machines, and so on. Right now, we’re introducing an internal Rust workshop, but this will definitely run in a different session.
Question: Is this the only means of knowledge transfer you have instituted at CrabNebula, or are there other apparatuses in place as well?
Matthias: While ‘TIL’ (Today I Learned) is just one way to provide a fun medium where everyone is invited to share knowledge, it is more or less synchronous, as long as we keep the recording of sessions aspect out of it. We also introduced guilds, which are differentiated from teams insofar as people with the same level of expertise can be asked questions on a specific topic (e.g., Rust or JavaScript), most of which are programming language-related questions. It’s not a new concept, but still an important one in a purely remote work company.
Question: So the guilds are sort of internal helpdesks?
Matthias: You could say so. The only difference is that it’s self-organized.
Question: What about internal training programs? Are you spearheading those as well? What do they consist of or look like?
Matthias: We take a strong stance for internal training by giving equal opportunities to all colleagues. So one of the main ideas is to integrate junior-level engineers early in the development process and give them a certain level of responsibility over a project and the decisions to be made, but it’s something that we excel at integrating into our work culture. I also play a part in this by providing internal training, especially for Rust.
What’s Next
Question: What do you see as the next step, either for you in your role or your department as a whole?
Matthias: What I’m currently appreciating a lot is how well-balanced our approach as a team is towards building stable products and services and engineering tasks, as well as the many opportunities to dive into research topics like isolation, specialized microkernels, etc. For me personally, I do see the security team as much more than just a necessary service layer and some kind of internal counselor for security-related topics, but also as an engineering lab to provide safe software and tooling from which the community can benefit a lot, and eventually all the users taking the myriad of Tauri applications for their day-to-day work. I also have to say that there is definitely a more collaborative approach between the teams inside CN, and not the security team’s sole responsibility. I think that’s what I like most, the collaborative atmosphere inside CN.
Question: Thank you! For a final thought, what’s your favorite food?
Matthias: I cannot decide between multiple options, but one in particular is an Indian dish made out of vegetables, potatoes, and rice. It’s called “Punjabi dum aloo”, and I really like to cook it.
Thank you, Matthias, for sharing these insights on the internal knowledge transfer program at CrabNebula! We look forward to future updates on these exciting developments. Find out more here.